  1. #1
    SitePoint Evangelist

    First Secure Site

    Hello,

    I'm just finishing my first website involving user input into my database and I'm nervous about security since it seems that there are so many things that one could do to attack a site. I don't want to put my head in the sand, but I don't want to be neurotic about it either. Basically, what I have at the moment is restricted page access to two types of users, those who I know (a group of educators), and those I don't (students), using the Zend Framework restrict access. The educators will be uploading content using a WYSIWYG, while the students will be uploading solutions to quizzes, no WYSIWYG, but text. For form validation, I'll be using client side validation via javascript.

    The question that I have then is, what's the cleanest, simplest way to "sanitize" user input via PHP or Zend Framework (the documentation had me spinning!), knowing that my users will be using a WYSIWYG editor.

    Thanks so much...I know that this is a very broad and deep topic.

    -Eric

  2. #2
    SitePoint Zealot stikkybubble
    htmlspecialchars(): it's a PHP built-in function. That's my suggestion.

    There was another one as well. I can't remember without looking it up.

    Essentially this function turns anything that looks code-y into harmless stuff. It's still possible for someone to predict that and I think escape characters they type in (double escape cancels itself out). I think perhaps the other function is to do with mySQL.

    I may look this up in a bit. Sorry, it's ages since I did this and I have had very little sleep. But I am *trying* to be helpful as nobody has answered your question at all ... !


    LATER:

    OK I had a very quick look. And this is an excerpt from a script I cobbled together in a hurry a long time after I did most of the coding on the site in question - so much less thought went into it than the main stuff. It's deep inside a secure area of the site.

    But here is an example that might help:

    // Only process the field when it was actually submitted with a value
    // (isset() avoids an undefined-index notice when the field is absent).
    if (isset($_POST['venInfo']) && $_POST['venInfo'] != '') {
        $bumf = trim($_POST['venInfo']);           // drop leading/trailing whitespace
        $bumf = stripslashes($bumf);               // undo escaping already applied to the input
        $bumf = mysql_real_escape_string($bumf);   // escape for the open legacy mysql_* connection
    }

    trim() gets rid of any whitespace, obviously
    stripslashes() - stop them trying the double-escape trick. But they CAN STILL fool this by adding MORE slashies I think. Anyway, you still need
    mysql_real_escape_string() which is supposed to render things harmless for insertion into a mysql database.

    I *think* there may have been an issue with htmlspecialchars() and a mysql database. Just to f*** you up! I have a feeling I found out the hard way. I may be wrong but I think the classic example is trying to enter a surname like O'Grady and finding that the apostrophe comes back with a slashie when you retrieve the data. Something like that. It doesn't blow up or anything drastic like that. Just make sure you test your php/mysql with entries that include realistic but unusual characters that might get escaped, to be sure that you get back what you put in.

    I am a bear of very little brain, don't take my word for all of this. But hopefully you now have a few key words to look up and that will help a lot.

    EDIT: I think I may also have needed stripslashes because I escaped things already before using POST. Whatever. You can look up exactly what all these things do very easily!

  3. #3
    SitePoint Evangelist
    Actually this has been very helpful. Thanks for pointing me in the general direction!

  4. #4
    SitePoint Enthusiast
    Use PHP PDO parameterized queries, and forget about encoding, stripping slashes, etc. as far as trying to inject SQL into the database. PDO parameterized queries handle sanitizing SQL injection attacks for you.

    Originally Posted by kreut:
        For form validation, I'll be using client side validation via javascript.

    No. Client-side validation is not secure. At the least you will want server-side validation. You can use both, but if you have to choose one, then use server-side.

    As for making sure they are entering valid HTML, use HTML Purifier.

    For users that can only enter text, use strip_tags() to remove any html they try and enter.
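The approach from post #4 (PDO parameterized queries, server-side validation, HTML Purifier for the educators' WYSIWYG content, strip_tags() for the students' plain text) put together in one added example, which also runs the O'Grady round-trip check post #2 recommends. This is example code written for this page, not code from either poster; the `submissions` table, column names, and the use of an in-memory SQLite database (needs the pdo_sqlite extension; a MySQL DSN works the same way) are assumptions, and HTML Purifier is assumed to be installed via Composer.

```php
<?php
// Added example (not from the thread). Assumed: table `submissions`, Composer
// autoloader providing HTMLPurifier (ezyang/htmlpurifier), pdo_sqlite available.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

// In-memory SQLite keeps this self-contained; use a MySQL DSN in production.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real prepares where the driver supports them
$pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, role TEXT, body TEXT)');

// Educator content comes from a WYSIWYG editor: allow a small whitelist of HTML.
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,b,i,em,strong,ul,ol,li,a[href],br');
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
$purifier = new HTMLPurifier($config);

// Student answers are plain text: strip every tag and enforce a length limit on the server.
function cleanStudentText(string $raw): string {
    $text = trim(strip_tags($raw));
    if ($text === '' || mb_strlen($text) > 5000) {
        throw new InvalidArgumentException('answer missing or too long');
    }
    return $text;
}

function saveSubmission(PDO $pdo, string $role, string $body): void {
    // The value is bound, never concatenated into the SQL, so quotes inside it stay data.
    $stmt = $pdo->prepare('INSERT INTO submissions (role, body) VALUES (:role, :body)');
    $stmt->execute([':role' => $role, ':body' => $body]);
}

// Constructed sample input standing in for $_POST.
$educatorHtml = '<p>Read <a href="https://example.com">this</a><script>bad()</script></p>';
$studentText  = "O'Grady <b>said</b> x = 2";

saveSubmission($pdo, 'educator', $purifier->purify($educatorHtml)); // <script> is dropped
saveSubmission($pdo, 'student', cleanStudentText($studentText));    // "O'Grady said x = 2"

// Round trip: the apostrophe must come back exactly as entered, with no stray backslash.
foreach ($pdo->query('SELECT role, body FROM submissions') as $row) {
    // Plain text is escaped at output time; purified HTML is already safe to echo.
    echo $row['role'] === 'student'
        ? htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8')
        : $row['body'], "\n";
}
```

The same pattern fits Zend Framework's Zend_Db adapter, which exposes prepared statements with bound parameters in the same way as PDO.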
